SB2020010621 - Information disclosure in Debian Linux

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2019-18179)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated user to gain access to sensitive information.

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn't have permissions.

Remediation

Install update from vendor's website.

References

• http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html
• https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
• https://lists.debian.org/debian-lts-announce/2020/01/msg00000.html